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Abstract — This paper develops a novel framework for sharing 
secret keys using existing Automatic Repeat reQuest (ARQ) 
protocols. Our approach exploits the multi-path nature of the 
wireless environment to hide the key from passive eavesdroppers. 
The proposed framework does not assume the availability of 
any prior channel state information (CSI) and exploits only 
the one bit ACK/NACK feedback from the legitimate receiver. 
Compared with earlier approaches, the main innovation lies 
in the distribution of key bits among multiple ARQ frames. 
Interestingly, this idea allows for achieving a positive secrecy rate 
even when the eavesdropper experiences more favorable channel 
conditions, on average, than the legitimate receiver. In the sequel, 
we characterize the information theoretic limits of the proposed 
schemes, develop low complexity explicit implementations, and 
conclude with numerical results that validate our theoretical 
claims. 

I. Introduction 

Wireless communication, because of its broadcast nature, 
is vulnerable to eavesdropping and other security attacks. 
Therefore, pushing wireless networking to its full potential 
requires finding solutions to its intrinsic security problems. 
In this paper, we consider a physical layer-based scheme 
to share a secret key between two users (Alice and Bob) 
communicating over a fading channel in the presence of a 
passive eavesdropper (Eve). The private key can then be used 
to secure further exchange of information. 

Arguably, the recent flurry of interest on wireless physical 
layer secrecy was inspired by Wyner's wiretap channel [1], [2]. 
Under the assumption that Eve's channel is a degraded version 
of Bob's, Wyner showed that perfectly secure communication 
is possible by hiding the message in the additional noise level 
seen by Eve. The effect of slow fading on the secrecy capacity 
was studied later. In particular, by appropriately distributing 
the message across different fading realizations, it was shown 
that the multi-user diversity gain can be harnessed to enhance 
the secrecy capacity, e.g. [3], [8]. Another frame of work [4] 
proposed using the well-known Hybrid ARQ protocols to 
facilitate the exchange of secure messages between Alice and 
Bob. 

This paper extends this line of work in two ways. First, 
by distributing the key bits over multiple ARQ frames, we 
establish the achievability of a vanishing probability of secrecy 
outages [4] at the expense of a larger delay. Interestingly, 
using this approach, a non-zero perfectly secure key rate is 
achievable even when Eve is experiencing a more favorable av- 
erage signal-to-noise ratio (SNR) than Bob (unlike the scheme 
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Fig. 1. System model involves a legitimate receiver, Bob. with a feedback 
channel to the sender, Alice. Eve is a passive eavesdropper. We assume block 
fading channels that are independent of each other. 



proposed in [4]). Second, we develop explicit constructions for 
secrecy ARQ coding that enjoy low implementation complex- 
ity. The proposed scheme utilizes the ARQ protocol to create 
an erasure wiretap channel and then uses known ideas from 
coset coding to construct optimal codes for this channel [5]- 
[7]. 

The rest of this paper is organized as follows. Our system 
model is detailed in Section [ll] 



III provides the 



IS detailed in Section |II] Section 
information theoretic analysis of our model. Explicit secrecy 
coding schemes are developed in Section IV In Section |V] 
we present numerical results. Finally, Section VI summarizes 
our conclusions. 



II. System Model 

Our model, shown in Figure [T| assumes one transmitter 
(Alice), one legitimate receiver (Bob) and one passive eaves- 
dropper (Eve), all equipped with single antenna. We adopt a 
block fading model in which the channel is assumed to be fixed 
over one coherence interval and changes randomly from one 
interval to the next. In order to obtain rigorous information 
theoretic results, we consider the scenario of asymptotically 
large coherence intervals and allow for sharing the key across 
an asymptotically large number of those intervals. The finite 



delay case will be considered in Section IV In any particular 
interval, the signals received by Bob and Eve are respectively 



given by, 

y{ij) = 9bij)x{i,j) + Wb{i,j), (1) 
ziij) = geij)x{i,j) + Weii,j), (2) 

where x{i,j) is the i*^ transmitted symbol in the j*'' block, 
y{i,j) is the i*'' received symbol by Bob in the j*'' block, 
z{i,j) is the z*'' received symbol by Eve in the f"' block, gb{j) 
and gdj) are the complex block channel gains from Alice to 
Bob and Eve, respectively. Moreover, wi,{i, j) and We{i,j) are 
the zero-mean, unit-variance additive white complex Gaussian 
noise at Bob and Eve, respectively. We denote the block 
fading power gains of the main and eavesdropper channels 
by hf, = |(76(j)P and he = |ffe(j)P- We do not assume any 
prior knowledge about the channel state information at Alice. 
However, Bob is assumed to know gb{j) and Eve is assumed 
to know both gb{j) and gdj)- We impose the following short- 
term average power constraint 

E{\x{i,j)\^)<P. (3) 

Our model only allows for one bit of ARQ feedback 
between Alice and Bob. Each ARQ epoch is assumed to 
be contained in one coherence interval (i.e., fixed channel 
gains) and that different epochs correspond to independent 
coherence intervals (the same assumptions as [4]). We denote 
the constant rate used in each transmission frame by Rq 
bits/channel use. The transmitted packets are assumed to carry 
a perfect error detection mechanism that Bob (and Eve) used 
to determine whether the packet has been received correctly 
or not. Based on the error check. Bob sends back to Alice 
an ACK/NACK bit, through a public and error-free feedback 
channel. Eve is assumed to be passive (i.e., can not transmit); 
an assumption which can be justified in several practical 
settings. To minimize Bob's receiver complexity, we adopt 
the memoryless decoding assumption implying that frames 
received in error are discarded and not used to aid in future 
decoding attempts. 

III. Information Theoretic Foundation 

In our setup, Alice wishes to share a secret key W E W = 
{1, 2, • • • , M} with Bob. This key can be used for securing 
future data transmission. To transmit this key, Alice and Bob 
use an {M,in) code consisting of : 1) a stochastic encoder 
fm{-) at Alice that maps the key u; to a codeword G X"^, 
2) a decoding function (j): — > W which is used by Bob 
to recover the key. The codeword is partitioned into a blocks 
each of ni symbols where m = ani.ln this section, we focus 
on the asymptotic scenario where a — > oo and ni — > c». 

Alice starts with a random selection of the first block of ni 
symbols. Upon reception. Bob attempts to decode this block. 
If successful, it sends an ACK bit to Alice who moves ahead 
and makes a random choice of the second rii and sends it 
to Bob. Here, Alice must make sure that the concatenation 
of the two blocks belong to a valid codeword. As shown 
in the sequel, this constraint is easily satisfied. If an error 
was detected, then Bob sends a NACK bit to Alice. Here, we 



assume that the error detection mechanism is perfect which is 
justified by the fact that ni ^ oo. In this case, Alice replaces 
the first block of ni symbols with another randomly chosen 
block and transmits it. The process then repeats until Alice 
and Bob agree on a sequence of a blocks, each of length m 
symbols, corresponding to the key. 

The code construction must allow for reUable decoding at 
Bob while hiding the key from Eve. It is clear that the proposed 
protocol exploits the error detection mechanism to make sure 
that both Alice and Bob agree on the key (i.e., ensures reliable 
decoding). What remains is the secrecy requirement which is 
measured by the equivocation rate Re defined as the entropy 
rate of the transmitted key conditioned on the intercepted 
ACKs or NACKs and the channel outputs at Eve, i.e., 

Re = ^H{W\Z^,K\GlGl) , (4) 

where n is the number of symbols transmitted to exchange 
the key (including the symbols in the discarded blocks due to 
decoding errors, b — a^, = {K{1), ■ ■ ■ ,K{b)} denotes 
sequence of ACK/NACK bits, G\ and G\ are the sequences 
of channel coefficients seen by Bob and Eve in the h blocks, 
and = {Z{1), • • • , Z{n)} denotes Eve's channel outputs 
in the n symbol intervals. We limit our attention to the perfect 
secrecy scenario, which requires the equivocation rate Re to 
be arbitrarily close to the key rate. The secrecy rate Rg is said 
to be achievable if for any e > 0, there exists a sequence of 
codes (2"^^,m) such that for any m > m(e), we have 

Re = ^H{W\Z",K'',GlGl) > Rs-e (5) 

and the key rate for a given input distribution is defined as 
the maximum achievable perfect secrecy rate with this distri- 
bution. The following result characterizes this rate, assuming 
a Gaussian input distribution 

Theorem 1: For the memoryless ARQ , the perfect secrecy 
rate for Gaussian inputs for a given transmit power P is given 
by: 

Gs = max {Pr(i?o < log(l+/i6P))E[i?o-log(l+/ieP)]+}, 

Ra.P<P 

(6) 

where [a;]+ = max(0,a;). All logarithms in this paper are 
taken to base 2, unless otherwise stated. 

Proof: Here, we only give a sketch of the proof of 
achievability. Due to space limitations, the converse will be 
deferred to the journal paper version. The proof is given for 
a fixed average power P < P and transmission rate i?o- The 
key rate is then obtained by the appropriate maximization. 
Let Rs = Gg — S for some small ^ > and R = Rq — e. 
We first generate all binary sequences {V} of length mR and 
then independently assign each of them randomly to one of 
2nRs groups, according to a uniform distribution. This ensures 
that any of the sequences are equally likely to be within any 
of the groups. Each secret message w G {!,••• ,2"^=} is 
then assigned a group V(m;). We then generate a Gaussian 
codebook consisting of 2"i(^"^'^) codewords, each of length 
ni symbols. The codebooks are then revealed to Alice, Bob, 



and Eve. To transmit the codeword, Alice first selects a random 
group v{i) of niR bits, and then transmits the corresponding 
codeword, drawn from the chosen Gaussian codebook. If Alice 
receives an ACK bit from Bob, both are going to store this 
group of bits and selects another group of bits to send in 
the next coherence interval in the same manner. If a NACK 
was received, this group of bits is discarded and another is 
generated in the same manner. This process is repeated till both 
Alice and Bob have shared the same key w corresponding to 
nRs bits. We observe that the channel coding theorem implies 
the existence of a Gaussian codebook where the fraction of 
successfully decoded frames is given by 

TYl 

- =Pr(i?o <log(l + /i6P)), (7) 
n 

as Til oo. The equivocation rate at the eavesdropper can 
then be lower bounded as follows. 

nRe = H{W\Z^,K^,Gl,Gl) 

= H{W\Z"',Gl,G1) 

= H{W,Z'^\Gt,G''^)- H{Z"'\Gt,Gl) 

= H{W,Z"',X-^\Gl,G''^)-H{Z'^\Gl,Gl) 

-H{X'^\W,Z"',Gl,G'l) 
= H{X"'\GlGl)+H{W,Z"'\X"',Gl,G''^) 

-H{Z'^\Gl, Gl) - H{X"'\W, Z'", Gg, Gl) 
> H{X'^\Gl,Gfj + H{Z"'\X'^,Gl,Gl) 

-H{Z'^\Gl,Gl) - H{X"'\W,Z"' ,Gl,Gl) 

= i?(X™|G^,G^) 

-H{X'^\W,Z'^,Gl,Gl) 
= H{X"'\Z"', Gt, Gl) - H{X"'\W, Z™, Gl, G^) 

Y,H{X{j)\Z{j),G,{j),G,{j)) 

-H{X"'\W,Z"',Gl,Gl) 

> H{X{j)\Z{j),G,{j),G,{j)) 

-H{X'^\W,Z'^,Gl,Gl) 
= [H{X{j)\G,{3),G,{j)) 

-I{Xijy,Z{j)\Gt{j),G,{m 

-H{X'^\W,Z'^,Gl,Gl) 

> Y ni[Ro-log{l + h,ij)P)-e] 

jeMm 

-H{X"'\W,Z"',Gl,Gl) 



> 



(d) 



^ni{[i?o-log(l + /ie(j)P)]+-e} 



-H{X"'\W,Z"',Gl,Gl) 



nCs - H{X"'\W,Z"' ,Gl,G1) - me. 



(8) 



which does not allow Eve to benefit from the observations 
corresponding to the NACKed frames, (b) follows from the 
memoryless property of the channel and the independence 
of the X(j)'s, (c) is obtained by removing all those terms 
which correspond to the coherence intervals j ^ Mm, where 
J^m = {j G {!,••• ,a} : ^b(j) > Kij)}, and (d) follows 
from the ergodicity of the channel as n, m oo. Now 
we show that the term H{X'^\W, Z"^ ,Gl,Gl) vanishes as 
ni 00 by using a list decoding argument. In this Ust 
decoding, at coherence interval j, the wiretapper first con- 
structs a list Cj such that x(j) e Cj if (x(z),z(j)) are 
jointly typical. Let £ = £1 x £2 x • • • x £„. Given w, the 
wiretapper declares that x™ = (x™) was transmitted, if 
is the only codeword such that x"* e B{w) fl £, where B{w) 
is the set of codewords corresponding to the message w. If 
the wiretapper finds none or more than one such sequence, 
then it declares an error. Hence, there are two types of error 
events: 1) £\: the transmitted codeword x™ is not in C, 2) 
£2. 3x™ ^ xj" such that x™ G B{w) n C. Thus the error 
probability Pr(x™ ^ xj") = Pr(£:i U £2) < Pr{£i) + Pr{£2). 
Based on the Asymptotic Equipartition Property (AEP), we 
know that Pr(fi) < ei. In order to bound Pr(f2). we first 
bound the size of We let 



(x(i),z(j)) are jointly typical, 
otherwise. 



(9) 



Now 



E{||£,||} = E 5]0,(x(i)|z(i)) 

[x(i) 

< eJi+ Y M^jMj)) 

< 1+ Y E{<^,(xO-)|z(j))} 

^ ^ni([Ro-los{l+heU)P)-4'^ + ^) (jQ) 



Hence 



" E ni([flo-log(l+/»E(j)P)-e] + + ^) 



In the above derivation, (a) results from the independent choice 
of the codeword symbols transmitted in each ARQ frame 



Pr(f2) < E<^ J2 P^x™ G S(w;)) 

[x"'e£,x'"74xj" 
(a) 

< E{||£||2-"-^»} (12) 

„ E ni([iJo-log(l+/ieO)P)-e] + + J-) 

^ 2 — nHs2j = i ^ 1 ' 

^ ^-n^ii,-i E ([«o-log(l+/ieO)P)-«] + + ji;)j 



where (a) follows from the uniform distribution of the code- 
words in B{w). Now as ni oo and a — > oo, we get 

Pr(i52) 2^"('-'=i^''^'-'s+'^'') — 2^"(^"^^'^) 

where c = Pr(/ib > he). Thus, by choosing e > (S/c), the 
eiTor probability Pi{£2) as n ^ oo. Now using Fano's 
inequality, we get 



H{X"'\W,Z"\,G'i,G'',) < n6„ 







oo. 



Combining this with ([8]l, we get the desired result. ■ 
A few remarks are now in order 

1) It is intuitively pleasing that the secrecy key rate in 
(|6]l is the product of the probability of success at 
Bob and the expected value of the additional mutual 
information gleaned by Bob, as compared to Eve, in 
those successfully decoded frames. 

2) It is clear from (j6]) that a positive secret key rate is 
achievable under very mild conditions on the channels 
experienced by Bob and Eve. More precisely, unlike 
the approach proposed in [4], Theorem [T] establishes 
the achievability of a positive perfect secrecy rate by 
appropriately exploiting the ARQ feedback even when 
Eve's average SNR is higher than that of Bob. 

3) Theorem [T] characterizes the fundamental limit on secret 
key sharing and not message transmission. The differ- 
ence between the two scenarios stems from the fact that 
the message is known to Alice before starting the trans- 
mission of the first block whereas Alice and Bob can 
defer the agreement on the key till the last successfully 
decoded block. This observation was exploited by our 
approach in making Eve's observations of the frames 
discarded by Bob, due to failure in decoding, useless. 

4) We stress the fact that our approach does not require 
any prior knowledge about the channel state information. 
The only assumption is that the public feedback channel 
is authenticated and only Bob can send over it. 

5) The achievability of (j6]) hinges on a random binning 
argument which only establishes the existence of a cod- 
ing scheme that achieves the desired result. Our result, 
however, stops short of explicitly finding such optimal 
coding scheme and characterizing its encoding/decoding 
complexity. This observation motivates the development 
of the explicit secrecy coding scheme in the next section. 

6) The perfect secrecy constraint imposed in (jSj ensures 
that an eavesdropper with unlimited computational re- 
sources can not obtain any information about the key. 
In most practical scenarios, however, the eavesdropper 
is only equipped with limited computational power. The 
proposed scheme in the following section leverages this 
fact in transforming our ARQ secret sharing problem 
into an erasure-wiretap channel. 

IV. Explicit Secrecy Coding Schemes 

Inspired by the information theoretic results presented ear- 
lier, this section develops explicit secrecy coding schemes 
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Fig. 2. Erasure-wiretap channel equivalent model. 

that allow for sharing keys using the underlying memoryless 
ARQ protocol. The proposed schemes strive to minimize 
encoding/decoding complexity at the expense of a minimal 
price in perfoimance efficiency. We proceed in three steps. 
The first step replaces the random binning construction, used 
in the achievability proof of Theorem [T[ with an explicit coset 
coding scheme for the erasure-wiretap channel. As shown next, 
the erasure-wiretap channel is created by the ACK/NACK 
feedback and accounts for the computational complexity avail- 
able to Eve. In the second step, we limit the decoding 
delay by distributing the key bits over only a finite number 
of ARQ frames. Finally, we replace the capacity achieving 
Gaussian channel code with practical coding schemes in the 
third step. Overall, our three-step approach allows for a nice 
performance-vs-complexity tradeoff. 

The perfect secrecy requirement used in the information the- 
oretic analysis does not impose any limits on Eve's decoding 
complexity. The idea now is to exploit the finite complexity 
available at Eve in simplifying the secrecy coding scheme. 
To illustrate the idea, let's first assume that Eve can only 
afford maximum likelihood (ML) decoding. Hence, successful 
decoding at Eve is only possible when 



i?0 <log(l + /leP), 



(13) 



for a given transmit power level P. Now, using the idealized 
eiTor detection mechanism. Eve will be able to identify and 
erase the frames decoded in eiTor resulting in an erasure 
probability 



e = Pr(i?o >log(l + /ieP)). 



(14) 



In practice. Eve may be able to go beyond the performance 
of the ML decoder. For example. Eve can generate a list 
of candidate codewords and then use the error detection 
mechanism, or other means, to identify the correct one. In 
our setup, we quantify the computational complexity of Eve 
by the amount of side information Rc bits per channel use 
offered to it by a Genie. This side information reduces the 
erasure probability to 



eg = Pr(i?o-i?c >log(l + /ie^')), 



(15) 



since now the channel has to supply only enough mutual 
information to close the gap between the transmission rate 
Rq and the side information Rc. The ML performance can be 



obtained as a special case of (15 i by setting i?c = 



It is now clear that using this idea we have transformed our 
ARQ channel into an erasure-wiretap channel, as in Figure |2] 



In this equivalent model, we have a noiseless Unk between 
Alice and Bob, ensured by the idealized error detection 
algorithm, and an erasure channel between Alice and Eve. 
The following result characterizes the achievable performance 
over this channel 

Lemma 1: The secrecy capacity for the equivalent erasure- 
wiretap channel is 



Ce = max {i?oPr(i?o < log(l + h^P)) 

Ro,P<P 

Pr(i?o -Rc> log(l + KP))}. 



(16) 



The proof follows from the classical result on the erasure- 
wiretap channel and is omitted here for brevity. It is intuitively 
appealing that the expression in Lemma[T]is simply the product 
of the transmission rate per channel use, the probability of 
successful decoding at Bob, and the probability of erasure 
at Eve. The main advantage of this equivalent model is that 
it lends itself to the explicit coset LDPC coding scheme 
constructed in [5]-[7]. In summary, our first low complexity 
construction is a concatenated coding scheme where the outer 
code is a coset LDPC for secrecy and the inner one is a 
capacity achieving Gaussian code. The underlying memoryless 
ARQ is used to create the erasure-wiretap channel matched to 
this concatenated coding scheme. 

The second step is to limit the decoding delay resulting 
from the distribution of key bits over an asymptotically large 
number of ARQ blocks in the previous approach. To avoid 
this problem, we limit the number of ARQ frames used by 
the key to a finite number k. The implication for this choice 
is a non-vanishing value for secrecy outage probability, which 
is the probability of Eve obtaining correctly all k frames. For 
example, if we encode the message as the syndrome of the rate 
{k — l)/k parity check code then Eve will be completely blind 
about the key if at least one of the k ARQ frames is erased 
[5]-[7] (Here the distilled key is the modulo-2 sum of the key 
parts received correctly). The secrecy outage probability is 



Pout = Pr mill log(l + K{j)P) >Ro-Rc], (17) 

where he{l),...,he{k) are i.i.d. random variables drawn accord- 
ing to the distribution of Eve's channel. Assuming a Rayleigh 
fading distribution, we get 



(18) 



Under the same assumption, it is straightforward to see that 
the average number of Bernoulli trials required to transfer k 
ARQ frames successfully to Bob is given by 



2«o _ 1 
P 



resulting in a key rate 



(19) 



(20) 
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Fig. 3. Cs and Ce against SNR for Rc = (0, 3, 7). 



Therefore, for a given Rc and P, one can obtain a tradeoff 
between Pout and Rk by varying Rq. Our third, and final, step 
is to relax the assumption of a capacity achieving inner code. 
Now, we allow for practical coding schemes, including the 
possibility of uncoded transmission, with a finite frame length 
III. Simulation results are reported in the next section. 

V. Numerical Results 

Throughout this section we assume a Rayleigh fading chan- 
nel, for both Bob and Eve, and focus on the symmetric sce- 
nario where the average SNRs experienced by both nodes are 
the same, i.e., E (hf,) = E (he) = 1. Under these assumptions, 
the achievable secrecy rate in (j6]l becomes 

P^ 



maxexp 

Ro 



where Ei (x) = exp (— t) /tdt. 

Figure [3] gives the variation of Cs and Ce with SNR under 
different constraints on the decoding capabilities of Eve. It is 
clear from the figure that Ce can be greater than Cg- This can 
be the case for certain Rc and SNR values. For instance, in 
the case of Rc = 0, if Eve receives the transmitted packet 
with error, she discards it without any further attempts at 
decoding. The instantaneous secrecy rate becomes Rq, which 
is larger than that used in ^ Cs{i) — Ro~ log2(l + he{i)P) 
where Cs{i),hc{i) are the instantaneous secrecy rate, and 
Eve's channel power gain, respectively. Averaging over all 
fading states, we can get a greater Ce than Cs- It is worth 
noting that, under the assumptions of the symmetric scenario 
and the Rayleigh fading model, the scheme proposed in [4] is 
not able to achieve any positive secrecy rate. 

Next, we turn our attention to the delay-limited coding 
constructions proposed in Section IV Figures |4] and |5] show, 
for different Po and Rc, the tradeoff between secrecy outage 
probability versus key rate for the proposed rate (k—l)/ k coset 
secrecy coding scheme assuming an optimal inner Gaussian 
channel coding. Figure [4] gives key rate corresponding to a 
desired secrecy outage probability, given some values for Rq 
and Rc- As is evident from Figure |5] the key rate required 
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Fig. 4. Outage probability against key rate for Rc = 2, Ro = 4, 6, 7 and 
8, and an average SNR of 30 dB. 

to obtain a certain outage probability gets smaller as Rc 
increases. In Figure [6j we relax the optimal channel coding 
assumption and plot key rate for practical coding schemes 
or no coding, and finite frame lengthes (i.e., finite rii). The 
code used in the simulation is a punctured convolutional code 
derived from a basic 1/2 code with a constraint length of 7 and 
generator polynomials 133 and 171 (in octal). We assume that 
Eve is Genie-aided and can correct an additional 50 erroneous 
symbols (beyond the error correction capability of the channel 
code). From the figure, we see that the key rate increases with 
increasing SNR and then drops after reaching a peak value. 
Note that we fix the transmission rate and make it independent 
of SNR. A low SNR means more transmissions to Bob and 
a consequent low key rate. As SNR increases, while keeping 
the transmission rate fixed, the key rate increases. However, 
increasing SNR at Eve's receiver means an increased ability to 
correctly decode the codeword-carrying packets. This explains 
why the key rate curves peak and then decay with SNR. Note 
also that for a certain modulation and channel coding scheme, 
decreasing the packet size in bits lowers the key rate. Reducing 
the packet size increases the probability of correct decoding 
by Bob and, thus, decreases the number of transmissions. 
However, it also increases the probability of correct decoding 
by Eve and the overall effect is a decreased key rate. 

VI. Conclusions 

This paper developed a novel overlay approach for sharing 
secret keys using existing ARQ protocols. The underlying idea 
is to distribute the key bits over multiple ARQ frames and 
then use the authenticated ACK/NACK feedback to create a 
degraded channel at the eavesdropper. Our results establish 
the achievability of non-zero secrecy rates even when the 
eavesdropper is experiencing a higher average SNR than the 
legitimate receiver It is worth noting that our approach does 
not assume any prior knowledge about the instantaneous CSI; 
only prior knowledge of the highest average SNR seen by 
the eavesdropper is needed. Moreover, we constructed a low 
complexity secrecy coding scheme by transforming our chan- 
nel to an erasure wiretap channel which lends itself to explicit 
coset coding approaches. Our theoretical claims were validated 
via numerical examples that demonstrate the efficiency of the 
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Fig. 5. Outage probability against key rate for Rq = 10, Rc = 3, 4, 5 and 
7, and an average SNR of 30 dB. 
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Fig. 6. The key rates required to obtain an outage of 10"^" against SNR 
for different packet sizes, Ki, = 240 and 480 bits, and different modulation 
schemes: uncoded BPSK, coded BPSK, and coded QPSK. 

proposed schemes. The most interesting part of our work 
is, perhaps, the fact that it demonstrates the possibility of 
sharing secret keys in wireless networks via rather simple 
modifications of the existing infrastructure which, in our case, 
corresponds to the ARQ mechanism. 
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